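# NixOS container module: a WireGuard VPN endpoint driven by systemd-networkd.
#
# No key material is kept in the Nix store. The interface private key and the
# per-peer preshared keys are read at runtime from files under
# /var/lib/wireguard inside the container, which is a bind mount of
# "${cfg.storage}/data" on the host. Only the peers' public keys are written
# into this file, which is safe to commit.
{ config, container, lib, pkgs, ... }:
let
  cfg = config.container.module.vpn;

  # Static peer table for wg0.
  #
  # Every peer is limited to exactly one /32 in AllowedIPs, so WireGuard's
  # cryptokey routing only accepts packets whose inner source address belongs
  # to the key that decrypted them: a peer cannot claim another peer's tunnel
  # address.
  wireguardPeers =
    let
      mkPeer = name: ip: PublicKey: {
        inherit PublicKey;
        # One PSK file per peer; the path is the container-side view of the
        # bind mount declared below (host: "${cfg.storage}/data/preshared/<name>").
        PresharedKeyFile = "/var/lib/wireguard/preshared/${name}";
        AllowedIPs = [ "${ip}/32" ];
      };
    in
    [
      (mkPeer "dashaphone" "10.1.1.3" "O/3y8+QKEY8UoLVlmbc8xdhs248L4wtQcl1MsBBfoQo=")
      (mkPeer "laptop" "10.1.1.9" "xxoCNPSB86zs8L8p+wXhqaIwpNDkiZu1Yjv8sj8XhgY=")
      (mkPeer "phone" "10.1.1.5" "bFmFisMqbDpIrAg3o/GiRl9XhceZEVnZtkegZDTL4yg=")
      (mkPeer "tablet" "10.1.1.6" "BdslswVc9OgUpEhJd0sugDBmYw44DiS0FbUPT5EjOG0=")
      (mkPeer "work" "10.1.1.2" "Pk0AASSInKO9O8RaQEmm1uNrl0cwWTJDcT8rLn7PSA0=")
    ];
in
{
  options.container.module.vpn = {
    enable = lib.mkEnableOption "the vpn server.";

    # Address of the container on the host-side network; this is not the
    # tunnel address, which is fixed to 10.1.1.0/24 below.
    address = lib.mkOption {
      default = "10.1.0.23";
      type = lib.types.str;
    };

    # UDP port WireGuard listens on. `lib.types.port` rejects anything outside
    # 0..65535 at evaluation time; the previous `lib.types.int` accepted any
    # integer and left the failure to networkd at runtime.
    port = lib.mkOption {
      default = 51820;
      type = lib.types.port;
    };

    # Host directory that holds the container's persistent state, i.e. the
    # WireGuard private key and the preshared keys.
    storage = lib.mkOption {
      default = "${config.container.storage}/vpn";
      type = lib.types.str;
    };
  };

  config = lib.mkIf cfg.enable {
    # Host-side directories backing the bind mount below; "data/preshared" is
    # where the per-peer PSK files are expected.
    systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" "data/preshared" ];

    containers.vpn = container.mkContainer cfg {
      bindMounts = {
        # Mounted writable so key files can be created/rotated from inside the
        # container with wireguard-tools.
        "/var/lib/wireguard" = {
          hostPath = "${cfg.storage}/data";
          isReadOnly = false;
        };
      };

      config = { ... }: container.mkContainerConfig cfg {
        networking.useNetworkd = true;

        boot.kernel.sysctl = {
          "net.ipv4.conf.all.src_valid_mark" = 1;
          # Peer traffic is forwarded out of the container (see IPMasquerade).
          "net.ipv4.ip_forward" = 1;
        };

        environment.systemPackages = with pkgs; [ wireguard-tools ];

        systemd.network = {
          enable = true;

          netdevs."50-wg0" = {
            inherit wireguardPeers;
            netdevConfig = {
              Kind = "wireguard";
              MTUBytes = "1300";
              Name = "wg0";
            };
            wireguardConfig = {
              # NOTE(review): nothing in this module opens cfg.port in a
              # firewall or forwards it from the host; presumably
              # container.mkContainer / mkContainerConfig does that — confirm.
              ListenPort = cfg.port;
              # NOTE(review): this file and the PSK files are provisioned out
              # of band. systemd-networkd reads them as the systemd-network
              # user, so they must be readable by that user and must not be
              # world-readable — verify the permissions under
              # "${cfg.storage}/data" on the host.
              PrivateKeyFile = "/var/lib/wireguard/privkey";
            };
          };

          networks.wg0 = {
            matchConfig.Name = "wg0";
            # NOTE(review): 10.1.1.0 is the network address of the /24 the
            # peers live in (10.1.1.2–.9). Linux accepts it as an interface
            # address, but if clients are meant to reach the server itself
            # inside the tunnel a host address such as 10.1.1.1/24 is the
            # conventional choice — check the client configs before changing.
            address = [ "10.1.1.0/24" ];
            networkConfig = {
              # All peer traffic is NATed behind the container's address and
              # can reach anything the container can route to. There is no
              # per-peer filtering here; add firewall rules if peers should be
              # confined to specific destinations.
              IPMasquerade = "ipv4";
              IPv4Forwarding = "yes";
            };
          };
        };
      };
    };
  };
}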